"StegaBin" hides C2 in Pastebin zero-width characters and ships malicious npm packages
Socket and Kmsec.uk reported a new npm supply-chain attack called StegaBin, attributed to the North Korean threat cluster Famous Chollima. Between February 25 and 26, 2026, 26 malicious npm packages were published. They hid C2 URLs in Pastebin essays using zero-width Unicode characters. Socket detected the first package within two minutes of publication and flagged every package as unsafe within minutes.
Famous Chollima and Contagious Interview
Famous Chollima is a North Korea-linked cluster tracked by CrowdStrike and associated with Lazarus Group. Since late 2023 it has run a campaign called Contagious Interview: fake recruiter messages on LinkedIn, a technical interview excuse, a Node.js project to run, and an infection chain that eventually deploys BeaverTail and InvisibleFerret.
StegaBin extends that playbook to npm. No interview is needed; npm install alone is enough to infect a victim.
The 26 packages
The malicious packages were published from disposable accounts:
argonist, bcryptance, bee-quarl, bubble-core, corstoken, daytonjs, ether-lint, expressjs-lint, fastify-lint, formmiderable, hapi-lint, iosysredis, jslint-config, jsnwebapptoken, kafkajs-lint, loadash-lint, mqttoken, prism-lint, promanage, sequelization, typoriem, undicy-lint, uuindex, vitetest-lint, windowston, zoddle
They mimic popular packages such as bcrypt, lodash, express, winston, and zod, and use suffixes like -lint, token, or js to look legitimate.
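As an added example (not code from the Socket or Kmsec.uk write-ups), the following Node.js snippet applies a simple typosquat heuristic to the names above: strip the decoy affixes the page mentions, then compare the remainder with a watch list of popular packages by edit distance or by prefix. The watch list, the affix list and the thresholds are assumptions chosen for this illustration, not a published ruleset.

```javascript
// Added example, not from the reports: a typosquat heuristic for npm names.
// The watch list and the affix list are constructed for this example.
const POPULAR = [
  "bcrypt", "lodash", "express", "winston", "zod", "fastify", "hapi",
  "uuid", "vitest", "prisma", "undici", "kafkajs", "mqtt", "ioredis",
  "formidable", "sequelize", "jsonwebtoken", "dayjs", "ethers", "typeorm",
];

// Affixes the page notes were used to look legitimate, plus two common ones.
const DECOY_AFFIXES = ["-lint", "lint", "-config", "-core", "token", "js"];

// Standard Levenshtein edit distance computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Repeatedly strip one decoy affix: "expressjs-lint" -> "expressjs" -> "express".
function stripAffixes(name) {
  let changed = true;
  while (changed) {
    changed = false;
    for (const affix of DECOY_AFFIXES) {
      if (name.endsWith(affix) && name.length > affix.length + 2) {
        name = name.slice(0, -affix.length);
        changed = true;
        break;
      }
    }
  }
  return name;
}

// Returns the watch-list entry a candidate most resembles, or null.
function closestPopular(candidate) {
  const lower = candidate.toLowerCase();
  const stripped = stripAffixes(lower);
  let best = null;
  for (const pop of POPULAR) {
    // Allow roughly one edit per three characters of the real name.
    const threshold = Math.ceil(pop.length / 3);
    const distance = Math.min(levenshtein(stripped, pop), levenshtein(lower, pop));
    let rule = null;
    if (distance <= threshold) {
      rule = distance === 0 ? "affix" : "edit-distance";
    } else if (stripped.startsWith(pop) && stripped.length - pop.length <= 4) {
      // "bcryptance" and "zoddle": the real name followed by a short tail.
      rule = "prefix";
    }
    if (rule !== null && (best === null || distance < best.distance)) {
      best = { popular: pop, distance, rule };
    }
  }
  return best;
}

// The 26 names listed on the page, for a triage run.
const PAGE_NAMES = [
  "argonist", "bcryptance", "bee-quarl", "bubble-core", "corstoken", "daytonjs",
  "ether-lint", "expressjs-lint", "fastify-lint", "formmiderable", "hapi-lint",
  "iosysredis", "jslint-config", "jsnwebapptoken", "kafkajs-lint", "loadash-lint",
  "mqttoken", "prism-lint", "promanage", "sequelization", "typoriem", "undicy-lint",
  "uuindex", "vitetest-lint", "windowston", "zoddle",
];

// Keep only the names that resemble something on the watch list.
function triage(names) {
  return names
    .map((name) => ({ name, match: closestPopular(name) }))
    .filter((entry) => entry.match !== null);
}

console.log(triage(PAGE_NAMES));
```

Names that the heuristic misses (for example `sequelization` or `uuindex`) show why such a check is a triage aid for registry monitoring and not a blocklist on its own.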
How the steganography works
The core trick is hiding C2 URLs in zero-width Unicode characters inside a Pastebin essay.
Zero-width Unicode characters
| Character | Code point | Original use |
|---|---|---|
| ZWSP | U+200B | Possible line break hint |
| ZWNJ | U+200C | Prevent ligatures |
| ZWJ | U+200D | Force character joining |
| Zero Width No-Break Space | U+FEFF | BOM / encoding marker |
| Word Joiner | U+2060 | Prevent line breaks |
These are legitimate Unicode characters, so security tools cannot simply treat every zero-width character as malicious.
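An added example (not from the reports) of a defender-side scanner in Node.js: it counts zero-width characters per code point, ignores a single leading BOM, and flags text where the hidden characters are numerous and regularly spaced, which is the pattern the decoding flow described on this page relies on. The cover text, the bit-to-character mapping used to build the sample, and the thresholds are assumptions for the illustration; the emoji and BOM cases show why a blanket block on these characters is not workable.

```javascript
// Added example, not from the reports: detect zero-width characters in text
// and score how much they look like an interleaved payload.
const ZERO_WIDTH = new Map([
  [0x200b, "ZWSP"],
  [0x200c, "ZWNJ"],
  [0x200d, "ZWJ"],
  [0x2060, "WORD JOINER"],
  [0xfeff, "ZWNBSP/BOM"],
]);

// Count zero-width characters, record their positions (in code points), and
// flag regular spacing. Thresholds are assumptions for this example.
function scanZeroWidth(text, opts = {}) {
  const maxRatio = opts.maxRatio || 0.01; // more than 1 % invisible chars is odd
  const minCount = opts.minCount || 8;    // a handful may be legitimate (emoji)
  const counts = {};
  const positions = [];
  let index = 0;
  for (const ch of text) { // for..of iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    const name = ZERO_WIDTH.get(cp);
    // A single BOM at offset 0 is an encoding marker, not hidden data.
    if (name !== undefined && !(cp === 0xfeff && index === 0)) {
      counts[name] = (counts[name] || 0) + 1;
      positions.push(index);
    }
    index++;
  }
  const total = positions.length;
  const ratio = index === 0 ? 0 : total / index;
  // Distinct gaps between consecutive hidden characters: one or two gap sizes
  // means a regular interleaving, unlike stray characters left by an editor.
  const gaps = new Set();
  for (let i = 1; i < positions.length; i++) gaps.add(positions[i] - positions[i - 1]);
  const regular = total >= minCount && gaps.size <= 2;
  const suspicious = regular || (total >= minCount && ratio > maxRatio);
  return { total, ratio, counts, positions, regular, suspicious };
}

// Remove every zero-width character so an analyst can read the cover text.
function stripZeroWidth(text) {
  return text.replace(/[\u200b-\u200d\u2060\ufeff]/g, "");
}

// Constructed cover text and a constructed embedding: one zero-width
// character after every 4th cover character, ZWSP for 0 and ZWNJ for 1.
const COVER =
  "Essays about productivity rarely mention that the best tool is a quiet room and a closed door.";

function makeSample(bits) {
  let out = "";
  let k = 0;
  for (let i = 0; i < COVER.length; i++) {
    out += COVER[i];
    if ((i + 1) % 4 === 0 && k < bits.length) {
      out += bits[k] === "1" ? "\u200c" : "\u200b";
      k++;
    }
  }
  return out;
}

// Legitimate uses that must not be flagged: a BOM-prefixed file and a
// family emoji, which is three emoji glued together with ZWJ.
const BOM_SAMPLE = "\ufeff" + COVER;
const EMOJI_SAMPLE = "Family: \u{1F468}\u200d\u{1F469}\u200d\u{1F467} plans";

console.log(scanZeroWidth(makeSample("0110100001101001")));
console.log(scanZeroWidth(BOM_SAMPLE).suspicious, scanZeroWidth(EMOJI_SAMPLE).suspicious);
```

Running the scanner over fetched text before a build step, or over files pulled from a paste service, gives a review queue rather than a verdict; the emoji case has a perfectly regular gap but too few characters to matter.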
Decoding flow
The attacker posted a harmless-looking essay to Pastebin and replaced evenly spaced characters with characters from the C2 address. The decoder in `vendor/scrypt-js/version.js` does the following:
- Remove zero-width Unicode characters
- Read the first five characters as the payload length
- Extract characters at even intervals
- Split the result at `|||` and restore the C2 sequence using `===END===`
```mermaid
flowchart TD
A["npm install"] --> B["install script runs automatically"]
B --> C["Fetch essay from Pastebin"]
C --> D["Decode zero-width characters"]
D --> E["Restore C2 domain"]
E --> F["Download from 31 Vercel deployments"]
F --> G["Run OS-specific payload"]
G --> H["Deploy 9-module RAT"]
```
The code itself does not contain the C2 URL. Only the Pastebin post changes when the operator wants to rotate infrastructure.
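The chain starts when a lifecycle script runs on `npm install`. As an added example (not the project's code and not from the reports), the Node.js snippet below audits a `package.json` manifest for the hooks npm runs automatically when a package is installed as a dependency and flags command patterns worth a closer look. The sample manifests, the hook split and the regular expressions are constructed for this example.

```javascript
// Added example, not from the reports: audit a package.json for lifecycle
// hooks that npm runs on its own when the package is installed as a
// dependency. prepare/prepublish run for the package's own `npm install`
// and for git dependencies, so they are reported but not counted as auto-run.
const AUTO_RUN_HOOKS = ["preinstall", "install", "postinstall"];
const OWN_INSTALL_HOOKS = ["prepare", "prepublish"];

// Command patterns that deserve a closer look in an install hook.
// Constructed for this example; tune to your environment.
const RISKY_PATTERNS = [
  { name: "runs a script file", re: /\bnode\s+\S+\.[cm]?js\b/ },
  { name: "touches the network", re: /\b(curl|wget)\b|https?:\/\//i },
  { name: "pipes into an interpreter", re: /\|\s*(sh|bash|node|python3?)\b/ },
  { name: "encoding or eval", re: /\b(base64|eval|atob)\b/ },
];

// Takes the manifest as a JSON string (as read from disk) and returns the
// hooks found, with the patterns each command matched.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of [...AUTO_RUN_HOOKS, ...OWN_INSTALL_HOOKS]) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({
      hook,
      command: cmd,
      runsOnDependencyInstall: AUTO_RUN_HOOKS.includes(hook),
      hits: RISKY_PATTERNS.filter((p) => p.re.test(cmd)).map((p) => p.name),
    });
  }
  return {
    name: manifest.name,
    hasAutoRunHook: findings.some((f) => f.runsOnDependencyInstall),
    findings,
  };
}

// Constructed sample manifests; the names and paths are placeholders,
// not the real StegaBin packages.
const SAMPLE_SUSPICIOUS = JSON.stringify({
  name: "example-lint",
  version: "1.0.3",
  scripts: { postinstall: "node vendor/setup.js", test: "echo ok" },
});
const SAMPLE_BENIGN = JSON.stringify({
  name: "example-clean",
  version: "2.1.0",
  scripts: { test: "mocha", prepare: "tsc -p ." },
});

console.log(JSON.stringify(auditManifest(SAMPLE_SUSPICIOUS), null, 2));
console.log(JSON.stringify(auditManifest(SAMPLE_BENIGN), null, 2));
```

Installing with `npm install --ignore-scripts` (or setting `npm config set ignore-scripts true`) disables these hooks entirely, which cuts this chain off at its first step at the cost of breaking packages that legitimately compile native code in `install`; an audit like the one above is the middle ground when scripts cannot be disabled wholesale.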
Vercel delivery infrastructure
After restoring the C2 domain, the malware downloads platform-specific shell scripts and RAT components from 31 Vercel deployments. Only one of them, ext-checkdin.vercel[.]app, was active during analysis.
Using Vercel’s free tier keeps infrastructure costs near zero and provides redundancy if one deployment is taken down.
The 9-module RAT
| Module | Runtime | Function |
|---|---|---|
| vs | Node.js | VS Code persistence via `tasks.json` |
| clip | Node.js | Keylogger / mouse tracker / clipboard theft |
| bro | Python | Browser credential theft |
| j | Node.js | Crypto wallet theft |
| z | Node.js | File-system enumeration |
| n | Node.js | WebSocket RAT to 103.106.67[.]63:1247 |
| truffle | Node.js | Runs real TruffleHog to steal secrets |
| git | Node.js | Collects `.ssh` and Git credentials |
| sched | Node.js | Persistence via redeploying the loader |
The C2 server uses port 1244 for commands and 1247 for the WebSocket RAT. The IP overlaps with older Famous Chollima infrastructure.
Why attribution is solid
Threat-intelligence investigators found several operational-security mistakes: disposable email services had public inboxes, and the same addresses were used for job-platform signups. The IPs exposed through npm notification emails pointed to VPN and ISP infrastructure that matched the group’s past behavior.
Related loader and comparison
A related package called express-core-validator was also found to carry a Google Drive-based stager.
Compared with the February SANDWORM_MODE campaign, the differences are significant:
| Aspect | SANDWORM_MODE | StegaBin |
|---|---|---|
| Actor | Unknown | Famous Chollima (North Korea) |
| Number of packages | 19 | 26 |
| Public accounts | 2 | 26 disposable accounts |
| C2 hiding | Base64 + XOR obfuscation | Pastebin steganography |
| Delivery infrastructure | Cloudflare Worker | 31 Vercel deployments |
| Automatic propagation | 3-path worm | None |
| AI-targeting | MCP injection | None |
| Persistence | git hook + MCP tampering | VS Code tasks.json |
| Feature | Polymorphic code transformation | Zero-width Unicode steganography |